From 1d5ae67789ee9b9bb89db4862e18f164d8e08462 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Thu, 13 Dec 2012 14:14:22 -0500
Subject: [PATCH] Add upstream patches for CVE-2012-4447, CVE-2012-4564

---
 libtiff-CVE-2012-4447.patch | 40 +++++++++++++++++
 libtiff-CVE-2012-4564.patch | 86 ++++++++++++++++++++++++++++++++++++
 libtiff-am-version.patch | 31 +++++++++++++
 libtiff-printdir-width.patch | 20 +++++++++
 libtiff.spec | 17 ++++++-
 5 files changed, 193 insertions(+), 1 deletion(-)
 create mode 100644 libtiff-CVE-2012-4447.patch
 create mode 100644 libtiff-CVE-2012-4564.patch
 create mode 100644 libtiff-am-version.patch
 create mode 100644 libtiff-printdir-width.patch

diff --git a/libtiff-CVE-2012-4447.patch b/libtiff-CVE-2012-4447.patch
new file mode 100644
index 0000000..ebf9a00
--- /dev/null
+++ b/libtiff-CVE-2012-4447.patch
@@ -0,0 +1,40 @@
+Upstream patch for CVE-2012-4447.
+
+
+diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c
+--- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2012-07-04 15:26:31.000000000 -0400
++++ tiff-4.0.3/libtiff/tif_pixarlog.c 2012-12-12 16:43:18.931315699 -0500
+@@ -644,6 +644,20 @@
+ return bytes;
+ }
+
++static tmsize_t
++add_ms(tmsize_t m1, tmsize_t m2)
++{
++ tmsize_t bytes = m1 + m2;
++
++ /* if either input is zero, assume overflow already occurred */
++ if (m1 == 0 || m2 == 0)
++ bytes = 0;
++ else if (bytes <= m1 || bytes <= m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ static int
+ PixarLogFixupTags(TIFF* tif)
+ {
+@@ -671,9 +685,11 @@
+ td->td_samplesperpixel : 1);
+ tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
+ td->td_rowsperstrip), sizeof(uint16));
++ /* add one more stride in case input ends mid-stride */
++ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
+ if (tbuf_size == 0)
+ return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
+- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
++ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ if (sp->tbuf == NULL)
+ return (0);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
diff --git a/libtiff-CVE-2012-4564.patch b/libtiff-CVE-2012-4564.patch
new file mode 100644
index 0000000..3d7946c
--- /dev/null
+++ b/libtiff-CVE-2012-4564.patch
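Review bot: The overflow test in the new `add_ms` inspects the wrapped sum `bytes = m1 + m2` after the fact, but tmsize_t is a signed type in libtiff 4.x (TIFF_SSIZE_T), so an overflowing addition is undefined behavior and a compiler may legitimately discard the following `bytes <= m1 || bytes <= m2` check. Test before adding instead, e.g. `if (m1 <= 0 || m2 <= 0 || m2 > TMSIZE_MAX - m1) return 0;` where TMSIZE_MAX stands for the maximum tmsize_t value (use `(tmsize_t)(~(size_t)0 >> 1)` if the tree has no such constant); the same caveat presumably applies to the pre-existing `multiply_ms`, whose body ends at this hunk's first context line. At the call site the second argument, `sizeof(uint16) * sp->stride`, is a bare product not routed through `multiply_ms`; stride appears to be derived from `td_samplesperpixel` (context line above), so a short comment such as `/* stride <= samplesperpixel, so this product cannot overflow */` would record why that is acceptable — confirm the bound against the assignment of sp->stride, which lies outside this hunk.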
@@ -0,0 +1,86 @@
+Upstream patch for CVE-2012-4564.
+
+
+diff -Naur tiff-4.0.3.orig/tools/ppm2tiff.c tiff-4.0.3/tools/ppm2tiff.c
+--- tiff-4.0.3.orig/tools/ppm2tiff.c 2010-04-10 15:22:34.000000000 -0400
++++ tiff-4.0.3/tools/ppm2tiff.c 2012-12-12 16:43:18.932315708 -0500
+@@ -72,6 +72,17 @@
+ exit(-2);
+ }
+
++static tmsize_t
++multiply_ms(tmsize_t m1, tmsize_t m2)
++{
++ tmsize_t bytes = m1 * m2;
++
++ if (m1 && bytes / m1 != m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ int
+ main(int argc, char* argv[])
+ {
+@@ -79,7 +90,7 @@
+ uint32 rowsperstrip = (uint32) -1;
+ double resolution = -1;
+ unsigned char *buf = NULL;
+- tsize_t linebytes = 0;
++ tmsize_t linebytes = 0;
+ uint16 spp = 1;
+ uint16 bpp = 8;
+ TIFF *out;
+@@ -89,6 +100,7 @@
+ int c;
+ extern int optind;
+ extern char* optarg;
++ tmsize_t scanline_size;
+
+ if (argc < 2) {
+ fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -221,7 +233,8 @@
+ }
+ switch (bpp) {
+ case 1:
+- linebytes = (spp * w + (8 - 1)) / 8;
++ /* if round-up overflows, result will be zero, OK */
++ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
+ if (rowsperstrip == (uint32) -1) {
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
+ } else {
+@@ -230,15 +243,31 @@
+ }
+ break;
+ case 8:
+- linebytes = spp * w;
++ linebytes = multiply_ms(spp, w);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ TIFFDefaultStripSize(out, rowsperstrip));
+ break;
+ }
+- if (TIFFScanlineSize(out) > linebytes)
++ if (linebytes == 0) {
++ fprintf(stderr, "%s: scanline size overflow\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ scanline_size = TIFFScanlineSize(out);
++ if (scanline_size == 0) {
++ /* overflow - TIFFScanlineSize already printed a message */
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ if (scanline_size < linebytes)
+ buf = (unsigned char *)_TIFFmalloc(linebytes);
+ else
+- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ buf = (unsigned char *)_TIFFmalloc(scanline_size);
++ if (buf == NULL) {
++ fprintf(stderr, "%s: Not enough memory\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
+ if (resolution > 0) {
+ TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/libtiff-am-version.patch b/libtiff-am-version.patch
new file mode 100644
index 0000000..c94c2e0
--- /dev/null
+++ b/libtiff-am-version.patch
@@ -0,0 +1,31 @@
+Back off the minimum required automake version to 1.11. There isn't
+anything in libtiff currently that actually requires 1.12, and changing
+this allows the package to be built on pre-F18 machines for easier testing.
+
+This patch can go away once we no longer care about testing on pre-F18.
+
+
+diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am
+--- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400
++++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400
+@@ -25,7 +25,7 @@
+
+ docdir = $(LIBTIFF_DOCDIR)
+
+-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
++AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
+ ACLOCAL_AMFLAGS = -I m4
+
+ docfiles = \
+diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am
+--- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400
++++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400
+@@ -23,7 +23,7 @@
+
+ # Process this file with automake to produce Makefile.in.
+
+-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
++AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
+
+ LIBTIFF = $(top_builddir)/libtiff/libtiff.la
+
diff --git a/libtiff-printdir-width.patch b/libtiff-printdir-width.patch
new file mode 100644
index 0000000..f41f027
--- /dev/null
+++ b/libtiff-printdir-width.patch
@@ -0,0 +1,20 @@
+Back-patch upstream patch of 2012-12-12 ("Fix TIFF_VARIABLE/TIFF_VARIABLE2
+confusion in TIFFPrintDirectory").
+
+
+diff -Naur tiff-4.0.3.orig/libtiff/tif_print.c tiff-4.0.3/libtiff/tif_print.c
+--- tiff-4.0.3.orig/libtiff/tif_print.c 2012-08-19 12:56:35.000000000 -0400
++++ tiff-4.0.3/libtiff/tif_print.c 2012-12-12 16:53:05.355927641 -0500
+@@ -582,10 +582,10 @@
+ continue;
+
+ if(fip->field_passcount) {
+- if (fip->field_readcount == TIFF_VARIABLE ) {
++ if (fip->field_readcount == TIFF_VARIABLE2 ) {
+ if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
+ continue;
+- } else if (fip->field_readcount == TIFF_VARIABLE2 ) {
++ } else if (fip->field_readcount == TIFF_VARIABLE ) {
+ uint16 small_value_count;
+ if(TIFFGetField(tif, tag, &small_value_count, &raw_data) != 1)
+ continue;
diff --git a/libtiff.spec b/libtiff.spec
index 4e194fd..96355cc 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.0.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: libtiff
 Group: System Environment/Libraries
@@ -9,6 +9,11 @@ URL: http://www.remotesensing.org/libtiff/
 Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
+Patch0: libtiff-am-version.patch
+Patch1: libtiff-CVE-2012-4447.patch
+Patch2: libtiff-CVE-2012-4564.patch
+Patch3: libtiff-printdir-width.patch
+
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig
@@ -58,6 +63,11 @@ image files using the libtiff library.
 %prep
 %setup -q -n tiff-%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
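Review bot: The swap passes `&value_count` for TIFF_VARIABLE2 and the uint16 `small_value_count` for TIFF_VARIABLE, but nothing in the hunk states why that mapping is the right one, and `value_count` is declared outside it (presumably as uint32). A comment above the first `if` would make the invariant reviewable at a glance: `/* TIFF_VARIABLE2 tags report a uint32 count, TIFF_VARIABLE tags a uint16 one; the local passed to TIFFGetField must have the matching width */`. TIFFPrintDirectory begins and ends outside this hunk.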
@@ -160,6 +170,11 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Thu Dec 13 2012 Tom Lane 4.0.3-2
+- Add upstream patches for CVE-2012-4447, CVE-2012-4564
+ (note: CVE-2012-5581 is already fixed in 4.0.3)
+Resolves: #880907
+
 * Thu Oct 4 2012 Tom Lane 4.0.3-1
 - Update to libtiff 4.0.3